SCA: security update for github.com/quic-go/quic-go (GHSA-g754-hx8w-x2g6)

medium Tenable Self-Hosted Container Security Plugin ID 436357

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to
excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-
encoded HEADERS frame that decodes into a large header field section (many unique header names and/or
large values). The implementation builds an http.Header (used on the http.Request and http.Response,
respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on
the decoded header, leading to memory exhaustion. This issue is fixed in version 0.57.0. (CVE-2025-64702)

See Also

https://github.com/advisories/GHSA-g754-hx8w-x2g6

Plugin Details

Severity: Medium

ID: 436357

Version: Revision 1.13

Type: Local

Family: SCA Checks

Published: 12/11/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2025-64702

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 12/11/2025

Vulnerability Publication Date: 12/11/2025

Reference Information

CVE: CVE-2025-64702

cwe: CWE-770